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Abstract 

In this article, we are interested in the physical model of general quantum protocols implementing 
secure two-party computations in the light of Mayers' and Lo's & Chau's no-go theorems of bit 
commitment and oblivious transfer. In contrast to the commonly adobted quantum pure two- 
party model in the literature where classical communication is normally ignored, we propose an 
alternative interpretation for the purification of classical communication in two-party protocols 
by introducing a quantum third party for the classical channel. This interpretation leads to a 
global three-party model, involving Alice's and Bob's machines and the environment coupled to 
the macroscopic channel, using the decoherence scheme in quantum measurements. This model 
could give a more general view on the concealing/binding trade-off of quantum bit commitment 
protocols. 

Inspired from this three-party interpretation, we extend the no-go theorems for denying some 
classes of two-party protocols having access to some particular quantum trusted third-parties, 
known as quantum two-party oracles. The extension implies that a quantum protocol for imple- 
menting secure two-party computations musts have access to a trusted third-party which erases 
information and thus makes dissipation of heat to the environment. 
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I. INTRODUCTION 



Bit commitment (BC) and oblivious transfer (OT) are two fundamental primitives of 
Modern Cryptography, used for the construction of secure computations for generic two- 
party functions^. Let's recall the definitions: 

Definition 1 (Bit Commitment). Bit commitment is a two-phase protocol. In the first 
phase, Alice sends commitment information about a secret bit to Bob such that Bob cannot 
discover Alice's secret bit from the commitment information ( concealing ). After an arbi- 
trarily long time, in the second phase, Alice is supposed to open the secret bit to Bob who 
can successfully detect if dishonest Alice tries to open the opposite value of the committed 
bit (hm&ing). 

Definition 2 (Oblivious Transfer). Oblivious transfer is an asymmetrical transmission pro- 
tocol permitting Alice to send two secret bits to Bob who is allowed to choose to get one and 
only one of these bits while Alice cannot know Bob's choice. 

Besides, there is another closely related primitive for secure two-party computations, 
named coin flipping (or coin tossing)^: 

Definition 3 (Coin Flipping). Coin flipping is a protocol for Alice and Bob sharing a fairly 
random bit, i.e. none of the parties can affect the probability distribution of the outcome. 

BC and OT are equivalent as it was shown that bit commitment can be implemented 
upon oblivious transfer-, while oblivious transfer can be built from bit commitment by 
transmitting quantum information^. Coin flipping can be trivially implemented upon bit 
commitment and oblivious transfer-. 

Within the classical concepts of information processing, such two-party protocols can be 
implemented with computational security based on unproven assumptions of intractability 
in the modern computing model^. Furthermore, due to the symmetry in trivial commu- 
nications, these protocols cannot be made from scratch with unconditional security^, as 
defined by information theory^. 

When passing to quantum information era, researchers have much interest to build un- 
conditionally secure cryptographic applications based on special features of quantum me- 
chanics^. However, while quantum key distribution had been proved to be secure*^, two 
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no-go theorems were issued: quantum bit commitment is impossible^ 1 ^; quantum secure 
two-party computations and so oblivious transfer are impossible^. Note that coin flipping 
is also banned from being implemented in the scope of quantum mechanics^, even with 
arbitrarily small bias^. Besides, it has been figured out in^ that quantum bit commitment 
cannot be built from coin flipping. 

Mayers' and Lo's-Chau's proofs for the impossibility of quantum bit commitment is de- 
rived from a property of pure quantum two-party states. In this pure quantum two-party 
model, a quantum bit commitment protocol cannot be concealing and binding: if a bit 
commitment protocol is secure against Bob, then Alice has a local transformation to suc- 
cessfully change her secret at the opening phase^ 1 ^. The same property of pure quantum 
two-party models was also found to deny quantum oblivious transfer in a more sophisticated 
proof^. Because of their similarity, one used to talk only about the no-go theorem for bit 
commitment. 

However, the claim of the generality of the theorem caused controversial discussions. 
Many doubt the validity of the model used in the proofs for all possible hybrid proto- 
cols which could incorporate classical computations and communications^^^>22£L>22>22. It 
requires further interpretation to fit general two-party protocols into the pure quantum 
two-party model. 

In the literature, the no-go theorem was commonly approached in an indirect manner 
using the reduction scheme. It gave only a physical interpretation of quantum purification 
made by Alice and Bob for classical computations and private random variables. The com- 
munication of classical messages was logically interpreted in a reduced two-party quantum 
modet^ 1 ^, not physically. A direct interpretation was made by Mayers who treated the mea- 
surements made for producing classical messages^. In Mayers' interpretation, the protocol 
is projected into collapsed sub-protocols corresponding to exchanged classical messages, and 
the no-go theorem is applied to each pure two-party model of each sub-protocol. 

One could say that the theorems on the impossibility of unconditionally secure quantum 
bit commitmentr^ 1 ^, and on the possibility of unconditionally secure quantum key distribu- 
tion^^, are among the most interesting subjects in the field of quantum cryptography, and 
furthermore lead to philosophical feedbacks to quantum theory^^. 
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Motivation and Contributions 

In this paper, we are interested in the global physical model interpreting all partici- 
pating quantum systems in general quantum protocols for implementing secure two-party 
computations, in the light of the no-go theorems. 

First, we revisit the physical model of general quantum two-party protocols. We propose 
an alternative interpretation for the purification of classical communication by introducing 
a quantum third party for a macroscopic channel. This interpretation leads to a global 
three-party model, involving Alice's and Bob's machines and the environment coupled to 
the classical channel, referring to the decoherence model in quantum measurements. We also 
find that, in this three-party model, if a bit commitment protocol is concealing, than Alice 
has a local transformation to cheat. This three-party model interprets the physical systems 
in general protocols more faithfully than the reduce two-party model in the literature^ 1 ^. 
Moreover, it could give a more global view on the average concealment and binding param- 
eters of a general protocol, in comparison with Mayers' one which treats each individual 
sub-protocol^. 

Inspired from this three-party interpretation, we extend the no-go theorems for two-party 
protocols having access to some particular quantum trusted third-parties, named quantum 
two-party oracles, where no information is erased from the view of Alice and Bob. This 
extension covers a no-go result similar to Kent's one for coin-flipping-based protocols^. 

This extension of no-go theorems implies that a quantum protocol for implementing secure 
two-party computations musts have access to a trusted third-party which erases information 
and thus makes dissipation of heat to the environment. Nevertheless, we can build classical 
oracles which do logical reversible computations for implementing oblivious transfer. That 
leads to a discussion on the physical nature of classical information. 

Organization of The Paper 

In Section [Til we expose an overview on the no-go theorem of quantum bit commitment. 
In Section lllfl we present our physical interpretation for general two-party protocols with 
a three-party model regarding the presence of a macroscopic channel. In Section IIV[ we do 
some studies on particular oracle based protocols which are penalized by the no-go theorem. 
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Then in Section |V] we show that coin flipping belong to this class of oracles and cannot 
help to implement bit commitment. Finally, in Section IVIj we discuss the implementation 
of unconditionally secure two-party computations' primitives and the physic of classical 
information from a thermodynamical view point. 

II. OVERVIEW ON NO-GO THEOREM OF QUANTUM BC 
A. Canonical Theorem 

In this section, we expose the canonical no-go theorem for quantum deterministic protocol 
executed on a pair of Alice and Bob quantum machines which interact by communicating 
quantum signal. Formally, a computation is an evolution in time of the computational 
configuration that consists of variables (systems) which are assigned with values (states) 
following a prescribed algorithm. In the quantum world the configuration at one moment 
is described by the state of all participating quantum systems at that moment. For a two- 
party protocol, the transition from one configuration to another successive configuration is 
made by local unitary transformations at Alice's and Bob's sides and by the communications 
between them. The communication of quantum signal is considered as quantum particles 
are faithfully brought from sender's machine to receiver's machine. 

Any bit commitment protocol can be seen as a two-phase computation, jointly made by 
Alice and Bob. After the first phase - commit phase, the computation is interrupted, and 
then continued in the second phase - opening phase. The computation takes Alice secret 
bit to be committed to Bob as input, and give one of three outputs: - if Bob is convinced 
that Alice's input is b = 0; 1 - if Bob is convinced that Alice's input is b = 1; and _L if any 
cheating user is detected by the other. 

As the detection of Bob's cheating would rather be made before the opening phase, 
we are only interested in the privacy against Bob's (concealment) and the detection of 
Alice's cheating (binding), once the commit phase has ended, i.e. the computation has been 
interrupted. 

In a deterministic bit commitment protocol, according to a deterministic algorithm, Alice 
and Bob must prepare two quantum systems A and B, characterized by 7i = H.A-tnit ® 
TiB,init, initially in a certain determined pure state \ifj(b) init } = \ip(b)} A>init |0) Bjinit . At step 
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i, Alice and Bob realize a joint computation Ui = Ua,i ® Ub,% on |-0(&)j_i) to get and 
exchange some subsystems in communication. Then, the configuration \ifj(b)i) is split into 
two parts according to the new decomposition 7i = 'H.A,i® r tlB,i- Here, Ti is invariant, but its 
decomposition into Alice and Bob's parts varies with communications. For simplifying, we 
will use TCa, 'Hb instead of Ti.A,i, Ti-B,i to implicitly specify the decomposition at the moment 
of speaking. 

The computation is then a determined sequence of configurations \^{b)i n i t ) , .., \^{b) fi na i)- 
At step i, the corresponding configuration \^(b)i) is split into two partial configurations at 
Alice and Bob sides: 

/(6) i =MI*(6)i> 

If the protocol is unconditionally concealing then Bob have not to be able to distinguish 
p B (0)i from p B (l)i for all i < int where int is the interruption step, i.e. Wi < int,p B (0)i = 
p B {l)i. Here, it suffices to be only interested in p jB (0) i = p B (l)i at the interruption step 
i = int. 

We could expect that Alice cannot replace p A (0) int with p A (l)j„t and vice-versa because 
of the entanglement in |\l/(6)j nt ). Unfortunately, following^, in case p B (0)i n t = p B (l)i n t, 
there exists a unitary transformation Ua acting in H,a that maps |\l/(l)j n4 ) into ^(O)^). 
Therefore, Alice can replace the partial configuration by the operators Ua and U^ 1 . 

More generally, quantum model allows a non-ideal unconditional security, i.e p B (0)i n t ~ 
p s (l)mt- The security of Alice's bit can be measured by the distinguishability between 
P S (0)mt and p B (l)i n t, for instance the fidelity of quantum states: 

F(p B (0),p B (l))>l-e. (1) 

The extension of Uhlmann's theorem^— - exercise 9.15) states that there exists a purifica- 
tion l^'(O)mt) of p B {l) int such that 

| (y(0) mt \ *'(0) int ) | = F(p B (0) mU p B (l) mt ) > 1 - e. 

Recall that, as \^'(0)i nt ) and \^/(l) int ) are two purifications of p B (l)i nt , there exists a uni- 
tary transformation for Alice to switch between \^f'(0)i n t) and 1^(1)^). Therefore, sup- 
pose that Alice has began the computation for b = 1, she can cheat by transforming 
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\^f(l)i nt ) into \ty'(0)int) and declaring 6 = 0. The opening phase will be continued with 
|\&'(0)j re i + i) , ... \ty'(Q) final) under unitary transformations. So: 

final final) | >l-e. 

A measure for the success of Alice's cheating is 

i ? (p B (0)/ i naZ,p /B (0) / inaO- 

Following Uhlmann's theorem (— - theorem 9.4), we have 

^(p(0)?w,p' B (0)/w) > | (*(0)f inal \*'(0)f inal ) | 

>l-e. (2) 

Therefore, in a pure deterministic quantum model, we cannot have a bit commitment pro- 
tocol that is both concealing and binding. Moreover, the more a protocol is concealing, the 
more it is binding, by the measure of quantum fidelity, cf. Eqs. (CO),©. 



B. Interpretation for Generality 

A major objection to MLC no-go theorem is that it is "too simple to be true" for all 
possible protocols where Alice and Bob 

1. do measurement on their quantum systems and pass to classical computation; and 
introduce secret variables; 

2. communicate classical information through a macroscopic channel that does permit to 
transmit quantum signal. 

Most of attention were paid to explain private classical variables in computa- 
tions^^^ 1 ^. With unbounded quantum machines, Alice and Bob are allowed to keep 
all of the computations at quantum level where all probabilist choices can be purified by 
appropriate additional quantum dices. For instance, to create a classical binary random 
variable x, in state |0) or |1) with probability 1/2, one prepares two system x,y jointly 
in entangled state (lO^Oy) + \l x l y )) /\^2 and use only system x for the computation. The 
purified protocol becomes deterministic, acting on a larger quantum system encompassing 
Alice's and Bob's additional dices for purifying private classical random variables. Then, 
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as shown in the canonical theorem, this two-party purified protocol cannot implement bit 
commitment. 

In^i2£, Yuen raised the problem of secret variables which questioned that if Bob really 
did the measurements, then the whole system might be projected into a secret collapsed 
state corresponding to Bob's secret value and Alice would not know the corresponding 
cheating transformation. This was successfully treated in^^, showing that Alice's cheating 
transformation is universal for ideal and nearly ideal protocols. 

However, the classical communication is normally omitted with some assumptions on the 
communication: "classical communication can be carried out by quantum model, but with 
some constraints"—. But what are the constraints? 

Imagine that in the specification of a protocol, at a certain moment, a party S has 
to measure a certain quantum state with an apparatus of n degrees of freedom and 
communicate the outcome to the other via a classical channel. This measurement will output 
% G {l,..,n} with probability p(i) and set the measured system in state \ipi) s - Receiving 
the classical value i, the receiver's apparatus R generates n-dimension variable in basis state 
\i) R for further computations. 

Of course, we can reduce this communication to a pure two-party quantum model where 
the sender realizes a transformation 

n 

1=1 

and the protocol is emulated correctly because the density-matrix description of each system 
is the same as though a real measurement is done^ 1 ^. The protocol configuration is then 
reduced to a two-party model consisting of Alice's and Bob's machines. And by the purifi- 
cation of private random variables, the reduced model becomes a pure quantum two-party 
state which is not allowed to implement bit commitment. 

However, the above reduced model for classical communications does not interpret what 
really happen in the physical world. From the physical view point, the classical channel 
does not appear in this reduced two-party quantum model. Indeed, in a generic protocol, 
the communication of classical messages forces destroying the purity of two-party states. 

What is the difference between a quantum channel and a classical one? A quantum 
channel is a medium that we can use to directly transmit a quantum state without disturbing 
it. Nevertheless a classical channel, for transmitting discrete messages, permits only one from 
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a collection of discrete signal values which can be amplified by many quantum systems on 
the channel, for instance a macroscopic electrical wire with tension +5V for and — 5V for 
1. So, a classical channel forces the measurements to be done for making classical signals i.e. 
Alice and Bob have to really measure their quantum states to make classical messages. The 
real joint computation with communication by measuring and transmitting classical values 
via a classical channel is not an evolution of a pure two-party state. In other words, as the 
action of measurements "can never help a cheater"—, why it does not prevent Alice from 
cheating? 

This point was only explained in Mayers' version where the measurements for making 
classical messages were considered^. Following Mayers, Alice and Bob would keep all of 
the operations at the quantum level, except for making classical messages. Thus, for each 
classical message 7, the corresponding quantum system is collapsed to a known pure two- 
party state |VVy)a.b> an d the trade-off between the concealment and the binding is separately 
treated for this state, i.e. if the collapsed protocol conceals: 

F 7 = F(p 7 B (0),p 7 B (l)) 

= F(tr A (\^o tl ) (^0,71)^(^1,7) (^1,7 1)) 

> 1 - e (3) 
then Alice has a unitary cheating transformation Ua,*/ with possibility of success 

I (^ , 7 I U A , 7 \ipi,j) I = F i > 1 - e - ( 4 ) 

III. THREE-PARTY MODEL FOR A MACROSCOPIC CLASSICAL CHANNEL 

We suppose that Alice and Bob implement a two-party protocol, communicating quantum 
signal via a quantum channel and classical signal via a macroscopic channel. As analyzed in 
Section III the communications of quantum messages make only repartitions of quantum 
computation systems in Alice and Bob's machines. We also suppose that Alice and Bob have 
unlimited quantum machines for purifying all private classical random variables. Neverthe- 
less, the measurements for making classical messages to be exchanged via the macroscopic 
channel cannot be purified by Alice's and Bob's dices. 

It is natural to interpret that in reality a classical channel is coupled with the environ- 
ment where the decoherence is so strong that the messages transmitted on the channel are 
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measured by a CNOT-like gate, copied, and amplified by an infinite quantum systems in 
the environment, i.e. a basis qubit \i) becomes \i) ® I^e^^- 

Suppose that the process of communication of classical message via a classical channel 
as follows: 

1. The sender S G {A, B} has to measure some quantum state \ip) AB with an apparatus 
with n degrees. This measurement will output i G {1, with probability p(i) and 
let the measured system in a state IV^ab- 

j 

where Hb ( s is for the macroscopic part in the measurement device lost to the environ- 
ment that causes the impurity of sender's state. 

2. The sender sends the signal % via a macroscopic channel where the signal can be 
infinitely amplified by the environment E: 

\i) s -> \i) E - 

3. The signal is amplified, and propagates to the receiver's device, where the corre- 
sponding quantum state \i) will be generated for the receiver's quantum machine 
R = {A,B}\{S}: 

\i) E -> \i) E ®\i) R . 

Therefore, this process is a unitary transformation acting on a pure state, but in a larger 
space covering Alice's, Bob's machine and the environmental systems amplifying the signals: 

n 
i=l 

where £"* denotes all systems of the environment, and S, R denote the controllable quantum 
systems in Alice's and Bob's machines. The initial states of systems amplifying classical 
messages process are not important, and denoted by \0) SRE:t . So, by introducing the en- 
vironment systems E*, the execution of the protocol is seen as a deterministic unitary 
evolution of the global three-party state lying in Ha <8> 7~Cb ® He*- 

Here, T~Ce* is not controlled by any participant, and the configurations of the protocol are 
not pure states lying in a two-party space for quantum systems in Alice' and Bob's machines 
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anymore. In fact, it is a three-party model where the systems in E* play a passive role via 
the CNOT gates. 

Therefore, the protocol is a deterministic computation in a three-party space and the 
configuration of the protocol at any moment can be described by a known pure state in the 
form of 

N 

!*(&)) = E V 7 ^) l<>^ Ma lOs Mb)) AB (5) 

i=l 

where i is any possible classical message, and \i) A , \i) B appear for the fact that Alice and 
Bob should duplicate and keep a record of the classical messages forever in their machines. 
For the security on Bob's side, the protocol has to assume 

F(p B (0),p B (l))>l-e (6) 

where p B {b) = tr E .{tr A (\V{b)) (*(6)|)). 
Obviously, 

F(p B ' E *(0),p B > E *(l)) < F(p B (0),p B (l)) (7) 

where p B ' E *(b) = tr^(p(6)), and Alice can only control the quantum systems in his ma- 
chine T~Ca- We would expect that this inequality can help to prevent Alice cheating when 
F(p B,E *(0), p B,E *(l)) <C 1. However, the inequality happens when information are lost 
during communication via the classical channel. Unfortunately, the environment has only 
honestly amplified the signals and the equality is obtained: 

F(p B > E *(0),p B > E *(l)) = F(p B (0),p B (l)) 

> 1 - e 

because in the description of 1*)^ is exactly the same as \i) A - The classical channel 

is noiseless and does not help. We could recall that a noisy channel could enable us to build 
unconditionally secure primitives' 1 ^. 

There exists a unitary transformation Ua such that 

K*(0)|tf A |¥(l))|>l-e, (8) 

and Alice can use it to cheat. 

The above purified model exists only if we accept the concept of decoherence that leads 
to the Many Worlds Interpretation of quantum mechanics where the pure global state exists 
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as the multiverse of classical realms corresponding to the collapsed stated This pure state 
may not exist in reality according to the Copenhagen Interpretation, because Alice and 
Bob should be in one of N situations, provided a collapsed state \i) A \i) B \ipi{b)) AB with 
the corresponding probabilities Pb{i), i-e. we are provided instead a statistical ensemble 

a \Vb 

In that case, Alice's average cheating possibility over all occurrences of exchanged classical 
messages can be measured by 

N 

y/Po(i)Pi(*)\ (^(0)| (i\ U A \i) Ml)) I > I (vP(0)| U A \*(1))\ 

i 

> 1 - e (9) 

We see that, a protocol mays not necessarily conceal against Bob for all collapsed sub- 
protocols but on average; and then Alice mays not successfully cheat for all collapsed sub- 
protocols but on average, cf. Eqs. (jSJ), ©. 

In comparison with Mayers' model, we see that these collapsed states are the same as 
\ipb.-y) for i — 7. cf. Eqs. fl3]) (HI). However, we could relax the requirement for each sub- 
protocol, for example, _F 7 could be small for some 7 but the occurring probability of 7 is 
small. Moreover, it can happen that the occurring probabilities of 7 for the commitment of 
and 1 are different, i.e. ^0(7) 7^ Pi(l)- 

The above concealment, cf. Eq. ([6]), suggests to extended the average concealment for 
the protocol based on Mayers' individual collapsed protocols: 

CONC = J2 VpoWpMFi 

7 

If we could measure the average concealment by 

CHEAT' = ^0(7)^(7)1 U A>1 \^i,i) I 

7 

= Yl ^0(7)^1(7)^7 

7 

then CHEAT' = CONC Moreover, as a standard, the concealment can be measured by 

CONC = F f 5>(7)*?(0), $> ( 7 K(1) J • 
\ 7 7 / 
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Normally, CHEAT' < CONC (— - theorem 9.7), but as Bob keeps a record of classi- 
cal message 7 in his quantum state p?(b) the two measures of concealment are identical 
CONC = CONC and then CHEAT' = CONC. 
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Classical channel's dices 



FIG. 1: The global purified model 



In summary, the global purified model which is obtained by the purification of local 
random variables and exchanged classical messages can be illustrated as in Fig. [1] which 
describes the configuration of the protocol at any given moment. This configuration is in a 
pure state: 

W)> = Yl VPbikJJ) \k) ABEif \i) DA \j) Dg \i> k ,i,j(b)) AB 

We represent each entanglement connection via a classical value i,j,k by a line through 
the concerned space. For instance, the real configuration of the protocol corresponding to 
Alice's private outcome i, Bob's private outcome j and exchanged classical message k is 
represented by the bold line in the figure. The execution of the protocol is a sequence of 
deterministic unitary transitions between successive configurations. It is a parallel execution 
of many honest schemes. 

As Alice and Bob have the possibility to keep their dices in their quantum machines, we 
would throw Da to A and Db to B and the the no-go theorem is applied to the model as 
analyzed above. 

Note that, if the purification of local variables \i) and \j) is really possible as Alice's 
and Bob's throw the private dices Da,Db to their quantum machines, the purification of 
exchanged classical messages \k) is more abstract. It is a quantum parallelism of collapsed 
counterparts corresponding to exchanged classical messages as in Mayers' interpretation^: 
the configuration corresponding to the classical message k lies in the region marked by the 
dot line in the figure. 
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This global purification describes the real execution of a protocol only if the Nature 
follows the theory of Decoherence and Many Worlds Interpretation. In any way, it is a 
convenient model for analyzing the average values of concealment and binding of general 
protocols. 

Logically, we are allowed to reduce this three-party model to a pure quantum two-party 
model by making \i) Ei( disappear as this is only a redundant copy of \i) A \i) B . The frontier F\ 
at the limit of Alice control gives Bob the same information as at F2. However, this reduced 
pure quantum two-party model only emulates the real protocols logically, not physically. 
Thus, the reduction could not be evident without a physical interpretation. 

IV. TRUSTED THIRD-PARTY PENALIZED BY NO-GO THEOREMS 

Because of the no-go theorem on two-party protocols, we could be satisfied to use a 
trusted third party for unconditionally secure computations. It is trivial when we have a 
trusted third party for implementing these protocols. For instance, in an oblivious transfer 
protocol, Alice sends bo, b\ and Bob sends c to Trent who is honest; Trent sends b c to Bob. 

In a general case, we construct a trusted two-party circuit for any desired computation, 
with some inputs from Alice and Bob, and some outputs back to Alice and Bob. The 
execution time of the computation done by the oracle is an elementary unit, and the results 
are immediately returned to the users. We name such trusted third-party as two-party oracle 
model. 

In this section, present an extension of the impossibility of quantum bit commitment and 
oblivious transfer for some common quantum two-party oracle models. 

A. Quantum Resource-Limited Oracle 

In the actual situation, we may have a quantum oracle but with limited resources. A 
common kind of quantum oracles is the quantum-circuit model where the oracles are built 
as quantum circuits for the required function without any resources. This model of quantum 
oracles is much used in quantum computation^. 

However, such a quantum oracle would have to throw information acquired by measure- 
ments during the computation into another public environment to re-initiate its private state 
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for further usage. Thus, the configuration of any two-party protocol using this oracle is not 
correlated with the private resources of the oracle. So, such a short-term oracle cannot help 
to build secure two-party computations, for long-term usage. 



B. Quantum Post-Empty Oracle 



We define here a class of quantum oracles as quantum circuits with some private resources 
for the inputs but sending all of the outputs to the users. 

Definition 4. A Post-Empty Oracle (PE-O) is defined as a two-party oracle that implements 
any specified algorithm, using some local variables. In the end of the computation, the oracle 
splits all of the final variables, including the local ones, and sends back one part to Alice, 
one part to Bob. 

Figure [2] illustrates a quantum PE-O: it receives quantum signal for inputs from Alice 
and Bob; initializes necessary local variables to |0); applied the required computation to 
these inputs; and at the end splits all of the outputs, including the local variables, into two 
parts, redirects one part to Alice, and one part to Bob. 

Alice's input Bob's input 
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split 



Alice's result 



Bob's if. ill 



FIG. 2: Quantum Post-Empty Oracle 



We can extend the no-go theorems to more general quantum two-party protocols having 
access to PE-Os: 

Theorem 1. We cannot build secure quantum bit commitment and oblivious transfer pro- 
tocols with quantum PE-Os. 
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It is then sufficient to prove the theorem for the deterministic purified reduced model. 
The interpretation for general protocols with classical communications has been analyzed in 
Section IIHI 

Proof. (Sketch). In fact, when the oracle splits all of quantum input and local variables 
which participate to the computations to Alice and Bob, the global configuration is in some 
known pure state, according to the algorithm, in a two-party space. Thus, such a model 
cannot implement bit commitment and oblivious transfer. 

Indeed, for the commitment of b, Alice, Bob and the oracle must prepare three quantum 
systems A, B and T, characterized by 7i = 7i A ®~Hb® 7~Lt, initially in some determined 
pure state 

W)) = W)U®|o> Tl -|o>T n 

where n is the number of requests that Alice and Bob appeal to the oracle during the 
protocol, and Tj is the local quantum variable used in i th call. 

At any step, after i calls to the oracle, the configuration of the protocol is 

|* 4 (6)> = u(mb)) AB \o) ABl - low ® |o) Tl+1 - |o) Tn , 

for a certain U where the system Tj has been split into ABj. The corresponding partial 
configuration at Bob side will be: 

p B (b) t = tr AT (\y(b)) <¥(6)|). 

Then, we see that after the commitment phase, at a certain step c, when (0) = pf (1), there 
exists a unitary transformation U A acting in 7i A that maps |\P C (1)) into |^ c (0)). Therefore, 
Alice can cheat by switching the partial configuration with the operators U A and . □ 

C. Quantum Trivial Oracle 

A trivial case is that we may have an oracle with unlimited resources, but it could not 
hide information from Alice and Bob. 

Definition 5. A Quantum Trivial Oracle is defined as a two-party oracle which implements 
the computation of any two-party function. The oracle can be coupled with a quantum system 
O. But whenever the oracle acquires information into its memory O by measurements, the 
information is thrown into the public environment and observed by Alice and Bob. 
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Then, more generally, we can extend the no-go theorems to quantum protocols based on 
such trivial oracles. 

Theorem 2. We cannot build secure quantum bit commitment and oblivious transfer pro- 
tocols based on Quantum Trivial Oracles. 

Proof. (Sketch). Let's return to the global model purifying classical messages of a quantum 
two-party protocol, cf. Eq. (jSJ). In a protocol having access to quantum trivial oracles 
with a supplementary system O, we can throw all of systems in O to the global third party 
environment E*. As the oracles send copies of the information thrown to O to Alice and 
Bob, the global configuration at any moment of a bit commitment protocol is in the same 
form of 

N 
i=l 

and if the protocol does conceal then it cannot be binding. 

In summary, in this three-party model involving Alice's machine, Bob's machine and the 
systems in E*: 

• The systems in E* do not hide information from Bob in a bit commitment scheme. 
The global model can be considered as a two-party model Ti^ ® {'He* ® J~Cb) where 
7~Ce* ® Wb is for what Bob can learn about Alice's secret and H,a is for what Alice can 
fully control to cheat. 

• The systems in E* do not hide information from Alice in an oblivious transfer scheme. 
The global model can be considered as a two-party model (Ha ®'He*) <8> 7~Cb where 
Ha&i'He* is for what Alice can learn about Bob's secret and H,b is for what Alice can 
fully control to cheat. 

□ 

In our interpretation in Section IIIH the macroscopic channel for Alice and Bob commu- 
nicating classical information plays the role of a trusted oracle. But this oracle is trivial as 
it publicly measures the quantum systems of Alice and Bob machines, and the measurement 
results are observed by Alice and Bob. The measurements for making classical messages are 
not information-erasing in the joint view of Alice and Bob. 



17 



V. COIN-FLIPPING BASED PROTOCOLS 



Corollary 1. Coin Flipping based Quantum Bit Commitment and Quantum Oblivious 
Transfer are impossible. 

Kent shown a similar result. In his paper, he established a relativist model to im- 
plement coin flipping. With the model of quantum two-party oracle, we make the statement 
more comprehensible from a non-relativist point of view. 

Proof. We can state that coin flipping is weaker than bit commitment and oblivious transfer 
in a reduction style. Indeed, we suppose that Alice and Bob have access to a PE-0 that 
creates a pair of qubits in Bell state |$+) = (10)^ |0) B + |1} b )/v2 and sends each part to 
a user. With such a PE-O, Alice and Bob has a fair quantum coin that can realize classical 
coin flipping: Alice and Bob measure |$+) in the same basis {|0) , |1)} to share a random 
bit. However, quantum bit commitment and oblivious transfer are not realizable with this 
PE-O, as shown by Theorem [TJ 

Besides, we show here a more direct proof for protocols based on classical coin flipping. 
Suppose that Alice and Bob have access to an oracle that generates classical random coins 
and send two copies to Alice and Bob. In fact, the pair of classical coins is a probabilistic 
ensemble of |0) A |0) B , \1) A \1) B with probabilities 1/2, 1/2: 

P AB = (Mb) (0 a 0b\ + |U1b) <Ulfl|)/2 

These coins should be represented by a pure state in an augmented model as though they 
are entangled with a third-party system O. 

\C) = ^T/2(\0) A \0) B \0) o + \l) A \l) B \l) o ) 

Thus, the oracle which implement a classical coin flipping protocol is trivial regarding Defi- 
nition [5] and cannot help to implement bit commitment. 

Indeed, suppose that a quantum bit commitment protocol requires Alice and Bob to 
share random coins at some steps. Recall that just before the first call to the oracle, the 
quantum configuration of the protocol, realized by two-party operations of Alice and Bob, 
is in a state \^(b)) = J2iLi \/Pb{i) \^)e* V) a N)b Eq. jSD- After receiving the 

coins, the configuration becomes 

|tf(&)> ® \C) = Vp&)/2\ij)E* \ij) A lv>a \MV))ab 

i=l..N,j=0..1 
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where O is thrown to E*. Therefore, by induction, with any successive unitary transfor- 
mation on A, B ands request for random coins to the oracle, the global configuration of the 
protocol remains in the penalized form, cf. Eq. (jSJ). With this quantum configuration, bit 
commitment and oblivious transfer are impossible. 

From the view point of Copenhagen Interpretation as in Mayers' proofs, the quantum 
configuration of joint computation just before a request to the coin flipping subroutine 
is a projected state \ipi) AB which is known to Alice and Bob according to the exchanged 
messages i. Now, the coin flipping subroutine provides either |0) A |0) B or \1) A \1) B with equal 
probability. However, once the coins are provided, Alice and Bob know which coin they have, 
and the global state is accordingly a known state AB <8> \0) A \0) B or \4>i) AB <S> \1) A |1) B . 
And the no-go theorems can be applied to each of these collapsed pure states. □ 

VI. REVERSIBILITY VS. IRREVERSIBILITY 

The topics of reversible computation are mostly studied in relation with Landauer's prin- 
ciple of thermodynamical reversibility when resolving the paradox of "Maxell's demon:" the 
erasure of one bit of information in a computational device is necessarily accompanied by a 
generation of kT In 2 heat^£>2L2£ 

A remarkable result from Theorems dj El is that, unconditionally quantum secure oblivious 
transfer and bit commitment can only be made with help of a trusted third party which hide 
some information from Alice and Bob. It implies that we have to have a trusted third party 
which causes an logical erasure of information and so, similar to Maxell's Demon, generates 
heat, cf. Fig. [31 It is convenient to see that the third party has limited resource, and if Alice 
and Bob invoke the request for many times, it begins to erase its private memory by reset 
all to |0) or to overwrite its memory and thus generate heat. 

Corollary 2. Any quantum implementation of unconditionally secure oblivious transfer and 
bit commitment requires erasure of information from the joint views of Alice and Bob, and 
thus causes thermodynamical reversibility and leads dissipation of heat to the environment. 

One question is that: Is any process implementing unconditionally secure oblivious trans- 
fer and bit commitment logically irreversible? 

An intuitive response from is Yes. Because, there are many positive witnesses. 
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It was shown that any logically reversible computation could be thermodynamically re- 
versible and implemented without heat dissipation, and vice versa, any thermodynamically 
reversible computing process must be logically reversible^ 1 ^. Moreover, it was shown that 
any computation could be logically reversible, by Turing machine model^ or by logic circuit 
models^ 1 ^. So, all two-party protocols are logically invertible: 

• In a classical protocol, Alice and Bob can do any local computation reversibly^, for 
instance by using universal reversible gates instead of normal irreversible gates AND, 
OR, Therefore, the joint computation is a reversible process over all variables 
at Alice and Bob locations. 

• In a quantum protocol, we expect that measurements will achieve some erasure of 
information. However, Alice and Bob can keep all of computations at the quantum 
level without measurement, even the final measurements because in an ideal protocol 
the users should learn the results with certainty. 

• Then in the end of the protocols, Alice and Bob can make a copy of the results, and 
undo all of the operations to reestablish the t her mo dynamical condition. 

This result is intuitively conformed to the impossibility of the implementation of oblivious 
transfer and bit commitment by any two-party protocol. 

Evidently, when the users deny this behavior by throwing private information then the 
erasure appears and we can build bit commitment and oblivious transfer protocols. For 
instance, we could implement oblivious transfer by forcing Bob to measure the quantum 
signals^. However, it is not that the erasure of information is sufficient for implementing 
secure computations. For instance, as analyzed in Section 1111} in a general two-party quan- 
tum protocol with classical communication the measurements for making classical messages 
can be logically seen as unnecessarily copying some information to the external environ- 
ment. The global process is then logically reversible, though physically irreversible. In real 
protocols, we make unnecessary amplification of information to the environment and cause 
unnecessary dissipation of heat. 

Besides, Rabin's oblivious transfer is equivalent to a logical erasure channel. Thus im- 
plicitly, any logical process that emulates Rabin OT would require the logical erasure of 
information, such as noisy channels^ 1 ^. And oblivious transfer may not be implemented by 
any logically reversible computing process in the joint view of Alice and Bob. 
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FIG. 3: Secure two-party computations must be logically information-erasing? 

However, it's interesting to analyze this problem in two-party oracle based protocols. 

For quantum protocols using quantum oracles, the response is from Corollary [2l We see 
that quantum two-party oracle based protocols for oblivious transfer and bit commitment 
require some entangled information, hidden or erased from the views of Alice and Bob. 

Nevertheless, we realize surprisingly that a classical oracle for oblivious transfer, and so 
bit commitment, can be made with unitary transitions. For instance, a simple classical 
circuit for oblivious transfer with 2 input wires from Alice for {bo,bi}A, ^ input wires from 
Bob for {c, x}b, is built for the unitary transition: 

{bo, h} A {c, x} b -> {b , h}i{c, x © b c } B 

where x is an auxiliary input for Bob to store the received bit. This transition is one-to-one 
and so there exists a reverse transition for it. Suppose that Alice and Bob send the inputs 
to the oracle, get the outputs, make a copy of the result, and send the outputs to an other 
oracle with the reverse transition which would reestablish the thermodynamical condition 
for the first oracle. 

So, could Alice and Bob realize oblivious transfer and bit commitment for free, i.e. with- 
out dissipation of heat, by this way? Could classical world beats the quantum one in this 
thermodynamical battle? 

The response would be no, because the ultimate laws of macroscopic behaviors are gov- 
erned by quantum theory. Here, we must assume that the classical oracle receives classical 
signals and treat them by a unitary transformation. In other words, the classical oracle is 
necessarily classical, acting in the classical world, not quantum superposition one. 

However, a process is necessarily classical only if it is collapsed to the actual state of 
the environment. From this quantum view, a logical necessarily classical bit is necessarily a 
observable binary state, entangled with and amplified by the environment. This observation 
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leads some information to be stored somewhere in the outer space, and must cause an entropy 
increase in the external environment. 

VII. CONCLUSION 

In summary, we have proposed an detailed interpretation of general quantum two-party 
protocols where the execution is seen as a deterministic unitary evolution of a pure state 
covering all quantum systems including Alice's and Bob's quantum dices purifying random 
variables and local measurements, and environment's dices when a macroscopic channel is 
used for transmitting classical information. 

Thus, the global state is a pure three-party state, not two-party state, where the envi- 
ronment's dices are not controllable by neither Alice nor Bob. However, this impurity does 
not help to secure bit commitment and oblivious transfer protocols. The state can be then 
seen as a two-party one where the environment only amplifies classical information given 
to the observer, while the other part can be fully controlled by the cheater. Therefore, the 
environment do not hide information from Bob in a bit commitment protocol, and from 
Alice in an oblivious transfer protocol. 

Obviously, secure two-party computations' primitives can be built with help of trusted 
third-parties. However, we have shown that the no-go theorems can also be applied to 
protocols that use trusted quantum third-parties for computing any two-party function but 
which are short-term, i.e. they are built with limited resources and have to throw information 
to the public environment; or post-empty, i.e. they splits and redirects all output quantum 
variables to Alice and Bob; or trivial, i.e. they do computation with public measurements 
only. Obviously, coin flipping belongs to this class of trivial oracles. 

These works implied that two-party oracles for implementing unconditionally secure com- 
putations are required to hide or erase information and considered as dissipation of heat. 
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